science keeps me warm at night

So I dropped by the local GNC today to pick up some vitamins, and by the cash register I noticed a number of brightly coloured boxes of various "natural solutions" to minor health problems. Among them was one labeled "Comfort the Back"; its active ingredient (singular) is 1600mg of white willow bark per dose.

The box contains seven doses and costs $14.99.

That's right, for a bit over $2 per dose, you too can treat your back pain with colourfully branded aspirin.

According to the military field reports released on Wikileaks, the NYT, Der Spiegel and the Guardian known as the Afghan War Diaries, the number of enemy fatalities in Afghanistan from January 2004 to December 2009 was 15,219. Given the response of the Pentagon to the documents, I think we can safely accept this as a lower bound on the actual number.

According to the report "The Cost of Iraq, Afghanistan, and Other Global War On Terror Operations Since 9/11", prepared by Amy Belasco of the Congressional Research Service for the United States Congress, page 13, the aggregate budget authority for Operation Enduring Freedom for FY 2004 through FY 2009 was $191.2 billion. (In the interest of accuracy, note that these two timespans do not correlate exactly; the fiscal year for the U.S. military and government begins on October 1st.)

Going by these numbers, we have spent roughly $12.56 million per Afghan enemy scalp during this six-year period.

Yes, you read that right: they want to expose pregnant mothers to one of the most potent, adverse-effect-prone steroids out there in the hopes of molding unborn girls into models of femininity.

I'll give you a few minutes to find where your lower jaw rolled off to and get a glass of water -- throwing up in your mouth a little is bad for your teeth. When you get back, I'll expand a little on the current standards of practice, and then we're going to go over some organic chemistry.

Back now? Great. First, PZ got one important fact wrong: the American Academy of Pediatrics and other noteworthy medical organizations have absolutely not condoned or endorsed this practice. The "consensus" to which PZ refers is an agreement that the study of dexamethasone as a preventative for congenital adrenal hyperplasia due to 21-hydroxylase deficiency should be conducted "via IRB-approved clinical trials through research centers large enough to obtain meaningful data" and with follow-up studies. This is, in my opinion, a reasonable position. CAH gets press because one of its effects can be ambiguous genitalia, sometimes aka "intersex", but its effects on aldosterone (one of the steroids your body produces) can lead to dehydration, hyponatremia, hyperkalemia, metabolic acidosis and death, in infancy. "Ambiguous" is also used, erm, ambiguously; it doesn't only mean "large clitoris", it also includes things like the urethra and vagina opening into a common cavity and causing severe urinary tract problems.

If there is sufficient reason to believe that prenatal dexamethasone can keep children whose genes prevent them from producing 21-hydroxylase alive, or make it possible for them to avoid difficult, expensive and painful surgery to restore urinary function, that is a valid avenue for research conducted under the auspices of an institutional review board. Attempting to tweak girls' personalities to make them more girly is way, way out of bounds, and New and Nimkarn should be censured for even suggesting the idea.

But what I really want to talk about is steroids, and what you, dear reader, do and don't already know about them.

"Steroid" is a really, really broad term. It's as broad as "sugar" or "alcohol". (The categories also overlap, which can be confusing; there are sugar alcohols and steroid alcohols.) When you think of "sugar" you probably think of that grainy white stuff you put in your coffee, and when you think of alcohol you probably think of booze -- but the picture is actually much bigger. All monosaccharides and disaccharides are sugars, including the ribose and deoxyribose that form the backbone of your RNA and DNA. Ethanol is the alcohol we drink, but it's just one of the aliphatic alcohols, which also include isopropanol (rubbing alcohol), methanol (can blind or kill you if you drink it!), xylitol (used to sweeten chewing gum), mannitol (baby laxative), ethylene glycol (antifreeze!), and glycerol (aka glycerin). I won't bore you with all the various non-aliphatic alcohol families, but there are a lot of them. So, also, with steroids.

Steroids are emphatically not just what dumb jocks inject to get really ripped really fast. (Those are certain anabolic steroids.) Just as "alcohol" refers to organic molecules with an -OH bound to a carbon atom and "sugar" refers to a particular type of carbohydrate building block, "steroid" specifically means "molecule with three six-carbon rings and one five-carbon ring in a particular arrangement". (That four-ring core is called a sterane, if you were curious.) And, wow, are there ever a lot of them. Cholesterol is a steroid. So are androgens (including testosterone), estrogens (there's more than one), and progestagens (humans only have the one, progesterone). But unless you're on hormonal birth control, taking estrogen or testosterone replacements, taking progesterone as part of fertility treatment, or otherwise tweaking your own sex hormones, if your doctor prescribes you a "steroid" it is almost certainly going to be one of the corticosteroids.

Dexamethasone is, as I said above, a glucocorticoid -- a member of the family of corticosteroids that can affect immune function. (In the interest of space, I'm going to skip the other family, the mineralocorticoids.) It is, not to put too fine a point on it, the nuclear option of corticosteroids. Long-term use -- which, for glucocorticoids, means more than a week -- causes the adrenal glands to start shutting down; stopping glucocorticoids abruptly after this has happened can cause an Addisonian crisis, which can be fatal. Even long-term use as directed frequently causes Cushing's syndrome, which has a whole raft of nasty symptoms including rapid weight gain, high blood pressure, insulin resistance, severe anxiety, and psychosis. As if that weren't enough already, long-term use also causes osteopenia, a lowering of bone density that is the precursor to osteoporosis.

Given the degree of side effects involved with long-term dexamethasone usage -- and the several weeks of treatment involved in the New and Nimkarn study constitutes "long-term" -- the "behavioral masculinization" paper rolls over from "horrible" to "sheer, unrestrained evil". They are literally advocating putting pregnant women through multiple weeks of chemical torture -- not to save lives, but in pursuit of a behavioral "ideal".

If you think this is anything even remotely resembling right, I invite you to spend a month on dexamethasone -- without medication to mitigate side effects, remember we can't give benzos to pregnant mothers because they might adversely affect the fetus! -- and find out what it does to you. The stretch marks alone -- which look more like "I lost a fight with a cage full of tigers" than "boo, cellulite" -- will last a lifetime; the psychological damage from finding out just how deep your capacity for violence and self-hatred can run may fade, eventually.

All that said, there is one extremely valid prenatal use for dexamethasone. If you're about to give birth to a premature baby younger than 34 weeks, one injection of dexamethasone 24-48 hours prior to birth will help the baby's lungs produce the surfactant which it needs to be able to breathe. (Multiple doses used to be the standard, but -- big surprise -- it turns out that the beneficial effects of multiple doses are no higher, in any statistically significant sense, than of a single dose, and the adverse effects on both mother and fetus with multiple doses are worse.) Consider the difference, though: one injection versus several weeks of dosing, sharp increase in likelihood of survival versus reinforcing social norms. It's like day and night.

What it all comes down to, in the end, is this: be an informed patient. Ask questions. When you're prescribed a medication, the minimum you need to know is:

What exact medication is this? Don't accept a category as an answer. You wouldn't hire a contractor who told you she was going to build your cabinets out of "wood"; you wouldn't hire a florist who told you he would make your anniversary bouquet out of "plants".

How long will you be on it?

What is the intended benefit of taking this medication?

What are the potential or likely adverse effects for the timeframe in which you'll be on it?

(if applicable) What are the potential interactions with any other prescription medications, over-the-counter medications, supplements, herbs, &c you take?

Doctors have a lot of training, and they do learn how to perform risk analysis, but at the end of the day, you are the one who gets to decide whether the potential benefits of any medication are worth the risks involved. You can't know the benefits or the risks unless you know exactly what you're putting in your body. Ask, and don't put up with bullshit non-answers.

Yeri "tuinslak" Tiete has been contacted by Belgian ICT minister Vincent Van Quickenborne -- on Twitter. The minister has invited Tiete to come discuss the NMBS/iRail issue with him, and states that "NMBS should be happy with your initiative."

As a recent expat I'm still learning my way around the complexities of Belgian politics, but it's very nice to see this kind of rapid, personal response -- especially from a prominent member of a party as large as Open VLD (who have slipped in power in the last few years, placing fourth among Flemish parties in the recent elections, but are still very much a going concern). I don't know how much influence Van Quickenborne has in his party, but if he can convince Open VLD as a whole to support open access to public data -- which fits in well with the party's emphasis on encouraging innovation and entrepreneurship -- that could very well lead to increased support at the polls. I'm looking forward to seeing how this continues to unfold.

Let me explain. Here in Belgium we have a public railway service in the technical sense of the term: the National Railway Company of Belgium (abbreviated NMBS in Flemish, SNCB in French) is wholly owned and operated by the government. It's an "autonomous government company", a bit like Ma Bell in the old days, but crucially, it is a nationalised system.

Up until fairly recently, an enterprising young student, who goes by the handle tuinslak, operated a site called i-rail.be. It was a rather popular mobile site which offered transit and routing information formatted for mobile phones, and did a far better job in that space than NMBS' own routeplanner (which has never been usable on mobile phones, and up until very recently was a crash-prone Web 1.0 monstrosity; it's much nicer on a regular computer now, but still not great). tuinslak informed NMBS back in 2008 that he was putting together a routeplanner for mobile users; they ignored his email until about a week ago, when they sent him a cease-and-desist order.

What burns me up is the claimed basis for the C&D. NMBS claims (translated) that i-rail "reuses the data of NMBS. This violates [NMBS'] intellectual property rights, as well as copyright and database rights."

So let me get this straight -- a nationalised company, which is to say, a company owned part and parcel by the citizens of Belgium, is claiming that a Belgian citizen's use of data generated by NMBS is in violation of intellectual property rights? By virtue of being a Belgian citizen, tuinslak has those rights himself. Whose intellectual property rights is he violating? His own?

I'm looking forward to seeing this one go before the courts. I'm not sure if tuinslak is planning on fighting it (though I'm going to contact him and find out); it's clearly something that the EFF should be interested in, and if he doesn't have a legal defense fund in place then I want to get one started.

Relatedly, Lorin Parys has an op-ed in De Standaard, calling for NMBS to put effort into a developers' API for its public information and to quit wasting time and taxpayers' money on an in-house replacement for a third-party mobile routeplanner site that clearly made a lot of people happy. I particularly liked this bit of rhetoric (again, translated):

If we can make non-personally-identifiable information from government and businesses public, we can unlock a stream of creativity and entrepreneurship. The government must lead the way, not lock the door.

If you're in the Bay Area and looking for a sysadmin with 17 years of experience and nigh-inhuman levels of dedication, let me know -- a colleague of mine got downsized when the government project he was on ran out of funding, and he's looking for the next interesting thing to do. Drop a comment or shoot me an email and I'll get you his resume.

My colleague Dan Kaminsky has released Interpolique, a defensive tool against string injection attacks. Go check it out! There's a slide deck at the page linked, and open-source code you can download.

Interpolique is an intellectual cousin of Dejector, in that both tools focus on making sure that the tree structure of a string with some variables substituted into it cannot vary from the structure that the developer originally intended. It's also related to one of the most unfortunately named security techniques ever, taint checking, in that it marks untrusted input as such. However, while taint checking tracks the spread of untrustworthiness as user input goes on to contaminate other branches of code, Interpolique actually constrains untrustworthy input from modifying safe data, and uses a simple form of static typing to ensure that string literals remain string literals all the way through to their final receiver, rather than potentially being interpolated into a command string in a way that allows them to be interpreted as part of the command rather than as data. ("Simple" isn't a criticism here, by the way, it's a compliment. They only needed two types, "safe, go ahead and interpret it" and "unsafe, this has to stay a string literal", and there was no reason to make it any more complicated than that.)

enochsmiles and I have a paper in the pipeline analyzing this technique formally (we can't spill all the beans yet, but let's just say the news is good, and by "good" I mean DECIDABLE), but while we work on that, the rest of y'all can put the code to the test. Have at, and let the rest of us know what you find out!

The source of the "Collateral Murder" video, which caused a great deal of grief for the U.S. military earlier this year, has been leaked -- by none other than former "homeless hacker" turned wannabe-reporter and government stooge, Adrian Lamo.

Hey, Lamo, hope you enjoyed your stint with the Fourth Estate. The internet can debate whether you've violated journalistic ethics till it's blue in the face, but I look at it from a pragmatic perspective: do you really think any source with an even potentially controversial story is ever going to trust a known snitch?

It takes a pretty special kind of stupid to deep-six yourself out of two completely different career fields in a mere seven years. Meanwhile, enochsmiles is sitting back and saying "I told you so."

My pals Tito Jankowski and Josh Perfetto have been working for the last, oh, nine months or so on designs for an Open Hardware thermocycler -- basically a Xerox machine for DNA. They've finished their first working prototype, and have set up a Kickstarter project to fund the process of turning this into a full working device that you'll be able to buy for less than $400, or build all by yourself with parts you can easily obtain online. If they can get to $6000, this will happen.

I'm particularly interested in this because its software will be the second real-world demonstration of some of my theoretical work. Some of you might remember Dejector, the "kills SQL injection dead" library I built back in 2005 (and have been really slack about keeping current, though it really needs a serious rearchitecturing). Dejector uses a technique I call "restricted sublanguages" to make sure that SQL queries which don't fit into a very limited (programmer-specified) subset of all possible queries -- that is to say, queries which have had a malicious clause injected into them -- are rejected before they get near the database. The OpenPCR machine is a networked device; you'll be able to plug it into your router and configure a PCR run via a webpage, rather than having to key instructions in on a tiny little keypad. It'll also log data for you (which you can also view in a browser) and, if you want, report results to you over Twitter or SMS.
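As an added illustration (my own sketch, not Dejector's or Interpolique's code), here is the idea both tools share, in the restricted-sublanguage form described above: a toy SQL subset is parsed into a tree, the literal values are erased to leave the tree's shape, and a query is accepted only when its shape matches a template the programmer registered, so anything that changes the structure never reaches the database. The grammar, the token kinds and the `RestrictedSublanguage` class are assumptions made for this example.

```python
import re
# Constructed example (not Dejector's code); the grammar below is a toy subset.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
TOKEN_RE = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|([=,])|(\S))")

def tokenize(sql):
    """Split sql into (kind, text) tokens; a character outside the subset is an error."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        string, number, word, punct, bad = m.groups()
        if bad:
            raise ValueError(f"illegal character {bad!r}")
        kind = ("STR" if string else "NUM" if number else punct if punct
                else word.upper() if word.upper() in KEYWORDS else "ID")
        tokens.append((kind, string or number or word or punct))
    return tokens

class Parser:                              # SELECT col FROM table WHERE cond
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else "EOF"
    def take(self, *kinds):
        if self.peek() not in kinds:
            raise ValueError(f"expected {'/'.join(kinds)}, got {self.peek()}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def comparison(self):                  # column = literal
        col = self.take("ID")
        self.take("=")
        return ("cmp", col, self.peek(), self.take("STR", "NUM"))  # peek runs first
    def condition(self):                   # comparison (AND|OR comparison)*
        node = self.comparison()
        while self.peek() in ("AND", "OR"):
            node = (self.take("AND", "OR").upper(), node, self.comparison())
        return node
    def query(self):
        self.take("SELECT")
        col = self.take("ID")
        self.take("FROM")
        table = self.take("ID")
        self.take("WHERE")
        where = self.condition()
        if self.peek() != "EOF":           # e.g. a second statement tacked on
            raise ValueError("trailing input after the query")
        return ("select", col, table, where)

def shape(node):
    """Erase literal values; keep the tree structure and each literal's type."""
    if node[0] == "cmp":
        return ("cmp", node[1], node[2])
    if node[0] in ("AND", "OR"):
        return (node[0], shape(node[1]), shape(node[2]))
    return ("select", node[1], node[2], shape(node[3]))

class RestrictedSublanguage:
    """Accepts only queries whose shape equals that of a registered template."""
    def __init__(self, *templates):
        self.allowed = {shape(Parser(tokenize(t)).query()) for t in templates}
    def check(self, sql):
        try:
            return shape(Parser(tokenize(sql)).query()) in self.allowed
        except ValueError:
            return False                   # not even inside the subset
# The programmer registers the one query shape this code path may issue.
NAME_BY_ID = RestrictedSublanguage("SELECT name FROM users WHERE id = 0")
```

Because the literal's type is part of the shape, swapping a number for a quoted string is rejected too, not just an added `OR` clause or a trailing second statement.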

All this fancy web stuff will be made possible -- and secure! -- through a restricted sublanguage of HTTP which I will be implementing for the AVR series of microcontrollers. (We're actually starting with an Arduino, but we might move to pure AVR by the time we're done.) Your contribution will help go toward making that happen, along with tools for generating custom restricted HTTP sublanguages for other embedded devices. (Networked lab tools are cool; networked lab tools that get hacked to pump out Twitter-spam, not so much.)

If you can spare a few bucks, please kick something in, and please signal boost anywhere you can think of. Thanks!

alexey_rom tweeted Edward Z. Yang's Databases are categories (based on a talk by David Spivak) the other day. I only just got round to reading it, and having done so, I recommend you do too. The notion of arrows and their properties (identity and associative composition) can be a bit abstract for the amateur/novice category theorist (like me -- hell, I wouldn't call myself more than a category theory fangirl), and mapping this onto identity and joins in databases is a really clever concretization.

There is some nerking in the comments about the relational model really being about Cartesian relations rather than object relations. This is true, but AFAICT irrelevant if viewed from the perspective of object-relational mapping (which you get for free in Postgres and Oracle anyway).

Where I think this is really useful is the world of higher-order query languages. Category-friendly languages such as Haskell have already made a good deal of headway into database APIs; I do not yet know of any projects that (for example) can create a schema from a set of objects and morphisms, but (continuing the example) I could see using that approach to generate all necessary foreign key constraints from an ORM.

I owe the Berlin trip a proper writeup, but some highlights: talk went extremely well, saw many old friends and acquaintances, came up with yet another paper we need to write with Dan Kaminsky, had some interesting discussions about a computer science curriculum that emphasizes security from the get-go, narrowed down the scope of some tools I need to write in the very near future in such a way that I can put together a proper spec now, got invited to give our talk or something very much like it again at Dartmouth. enochsmiles and I co-present extremely well, which bodes well for future joint presentations (which I enjoy better than solo presentations, when they go well at least).

We also sort of got stuck in Berlin after seeing foxgrrl off at TXL, as it turns out that trains from Berlin to Leuven are not to be had after about 2 pm; the farthest west we could have gotten was Liège. A glance at a rail map suggested a wild possibility: Saarbrücken, so on a wild shot I called oralelk's office and got him on the first ring. Despite not having had much contact at all over the last, um, five years (bad Meredith, no cookie!) he was still quite happy to have us crash on his couch for the night, even coming out to meet us at 11:30 at night, staying up to chat, and putting off going in to work until well past 11 am despite having quite a lot of work to do. It was rapidly discovered that Saarbrücken is one of the least convenient places in Germany to get to Belgium from; our options were basically the ICE high-speed train to Paris and the Thalys to Brussels, or a bus to Luxembourg and two trains for roughly a quarter the price. Thus I have now been to Luxembourg, making that eight countries so far this year.

I have also just received notification that our Black Hat talk has been accepted. Thus, I will be both there and at the Open Science Summit in Berkeley immediately thereafter, July 29-31. (Current plan is to arrive in CA on the 30th.) Unfortunately, this will mean missing DEFCON, for me at least; I'm not sure about enochsmiles.

It is going to be a wild summer, with tools to write and a journal article to finish and a couple of big chewy proofs to prove on top of all my normal work. But I'm excited!

I am on a train to Köln. It has wifi and small German children who think my laptop and leather trenchcoat are the Most Awesome Thing Ever.

(Several increasingly loud "Nee"s later, the child's mother has recovered him. Look, kid, I speak bad Dutch and no German, but if I'm pushing your hand away from my keyboard, get it away from the damn keyboard.)

After Köln, it'll be the night train to Berlin, then lots of coffee and a talk to give at a conference. Have a great weekend, everyone!